Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

API Validation XML Schemas do not forbid file system access (XXE) #1021

Closed
brianwrf opened this issue Sep 27, 2018 · 7 comments
Closed

API Validation XML Schemas do not forbid file system access (XXE) #1021

brianwrf opened this issue Sep 27, 2018 · 7 comments
Assignees
Labels
bug
Milestone

Comments

@brianwrf
Copy link

@brianwrf brianwrf commented Sep 27, 2018

Version

  • vert.x web: <= 3.5.3

Context

Just found a potential XXE vulnerability in vertx-web as show below, it seems function isValid didn't add any protection from XXE vulnerability when parsing XML document.

https://github.com/vert-x3/vertx-web/blob/3.5.3/vertx-web-api-contract/src/main/java/io/vertx/ext/web/api/validation/impl/XMLTypeValidator.java#L34

Mitigation

Follow the OWASP guide below which provides concise information to prevent this vulnerability. https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java

@pmlopes pmlopes self-assigned this Sep 27, 2018
@pmlopes pmlopes mentioned this issue Sep 28, 2018
@pmlopes pmlopes added the to review label Sep 28, 2018
@vietj vietj added this to the 3.5.4 milestone Sep 28, 2018
@pmlopes pmlopes removed the to review label Sep 28, 2018
pmlopes added a commit that referenced this issue Sep 28, 2018
Issues/1021
@vietj vietj mentioned this issue Sep 28, 2018
22 of 22 tasks complete
@brianwrf
Copy link
Author

@brianwrf brianwrf commented Sep 28, 2018

@pmlopes Thanks for the fast fix. Is there a CVE announcement on this issue?

Cheers,
Brian

@pmlopes pmlopes changed the title Potential XXE vulnerability in vertx-web API Validation XML Schemas do not forbid file system access (XXE) Sep 28, 2018
@vietj
Copy link
Contributor

@vietj vietj commented Sep 28, 2018

@brianwrf there might be one indeed

@brianwrf
Copy link
Author

@brianwrf brianwrf commented Sep 28, 2018

@vietj Thanks for your response. Can you kindly please keep me updated if the CVE announcement is ready?

@vietj
Copy link
Contributor

@vietj vietj commented Sep 28, 2018

it will be part of the 3.5.4 release notes, so just watch this

@pmlopes
Copy link
Member

@pmlopes pmlopes commented Sep 28, 2018

Note

This issue is not affected by user/application input, but only by badly crafted application configuration. Users using the api contracts module with the default settings are not affected, only if explicitly enabled the XML validation and provided a malicious XSD as input.

@brianwrf
Copy link
Author

@brianwrf brianwrf commented Sep 28, 2018

@vietj @pmlopes Thanks for the confirmation.

@vietj
Copy link
Contributor

@vietj vietj commented Oct 3, 2018

This has been identified as CVE-2018-12544 - the CVE has not yet been fulfilled at the moment of writing this but it will be soon

@vietj vietj added the bug label Oct 3, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants
You can’t perform that action at this time.